What is PDP / PEP?
The two halves of modern authorization - one decides if an action is allowed, the other enforces it.
PDP / PEP: definition
Modern authorization separates deciding from enforcing. The PEP sits in the path of an action - an API call, a payment, an AI agent’s tool invocation - and asks the PDP, "should this be allowed?" The PDP evaluates the applicable policies (who is asking, what they want to do, in what context) and returns a decision the PEP enforces. This separation lets policy live and evolve centrally while enforcement happens consistently everywhere.
- PEP: intercepts the request and enforces the outcome (allow / block / step-up)
- PDP: evaluates policy and returns the decision
- Separation centralizes policy while keeping enforcement consistent
- The architecture behind governing both human and AI-agent actions
How Fintra handles it
Fintra applies the PDP/PEP model to AI action governance: when an agent (or a person) attempts a consequential action, an enforcement point intercepts it and the decision engine evaluates policy - approve, challenge (require human step-up), or block - based on the action’s risk and the actor’s trust. The decision and its reasoning are logged, so enforcement is both consistent and auditable.
Worked example
Frequently asked questions
What is the difference between a PDP and a PEP?
The PDP (Policy Decision Point) decides whether an action is permitted by evaluating policy; the PEP (Policy Enforcement Point) sits in the action’s path and enforces that decision. One thinks, the other acts - and separating them keeps policy centralized while enforcement stays consistent.
Why separate the decision from the enforcement?
So policy can be authored, versioned, and updated in one place while being enforced uniformly across many entry points. It also makes governance auditable: every enforcement point consults the same decision logic and logs the outcome.
How does PDP/PEP apply to AI agents?
An agent’s attempt to take an action (via a tool or MCP call) is intercepted by a PEP, which asks the PDP whether policy allows it given the action’s risk and the agent’s trust. The PDP can approve, require human step-up, or block - exactly how Fintra governs agent actions.
Does Fintra use a PDP/PEP architecture?
Yes. Fintra’s AI action governance intercepts consequential actions at enforcement points and evaluates them against policy in a decision engine - returning approve, challenge, or block, and logging the decision and reasoning for audit.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
See how Fintra handles the numbers behind this term
Fintra is the AI Finance Operating System for SMBs - accounting, planning, payroll, equity, and AI governance on one shared data model, with a named human approving anything consequential. Free to start, no card required.
Talk to us